mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-07 09:09:23 +00:00
2ed90cb093
Read mmu_invalidate_seq before dropping the mmap_lock so that KVM can
detect if the results of vma_lookup() (e.g. vma_shift) become stale
before it acquires kvm->mmu_lock. This fixes a theoretical bug where a
VMA could be changed by userspace after vma_lookup() and before KVM
reads the mmu_invalidate_seq, causing KVM to install page table entries
based on a (possibly) no-longer-valid vma_shift.
Re-order the MMU cache top-up to earlier in user_mem_abort() so that it
is not done after KVM has read mmu_invalidate_seq (i.e. so as to avoid
inducing spurious fault retries).
It's unlikely that any sane userspace currently modifies VMAs in such a
way as to trigger this race. And even with directed testing I was unable
to reproduce it. But a sufficiently motivated host userspace might be
able to exploit this race.
Note KVM/ARM had the same bug and was fixed in a separate, near
identical patch (see Link).
Link: https://lore.kernel.org/kvm/20230313235454.2964067-1-dmatlack@google.com/
Fixes:
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| main.c | ||
| Makefile | ||
| mmu.c | ||
| tlb.c | ||
| vcpu.c | ||
| vcpu_exit.c | ||
| vcpu_fp.c | ||
| vcpu_insn.c | ||
| vcpu_pmu.c | ||
| vcpu_sbi.c | ||
| vcpu_sbi_base.c | ||
| vcpu_sbi_hsm.c | ||
| vcpu_sbi_pmu.c | ||
| vcpu_sbi_replace.c | ||
| vcpu_sbi_v01.c | ||
| vcpu_switch.S | ||
| vcpu_timer.c | ||
| vm.c | ||
| vmid.c | ||